It looks like Skype has another big hole in its security. This one allows you to hijack any Skype account and read its history if you know the Skype login (account name) and e-mail address of a person. It is notable that this issue was reported to Skype support a while ago, but nothing has been done since then.
Below is the sequence of steps that reproduces the hijack of an account:
1. You need to know the Skype login and the corresponding e-mail address.
2. Register a new Skype account using the e-mail address from #1. You will get a message that it is already in use; just ignore that and fill in the rest of the form.
3. Log in to the new profile and add a new e-mail address (one you own) as an additional address.
4. Log in to the Skype client application.
5. Delete cookies, navigate to the forgot-password page and use the e-mail address from #1.
6. A reset marker (token) should be sent to the e-mail address, but no e-mail is sent; a notification pops up in the Skype client instead.
7. Follow the link: you can see the e-mail address from #1 and all logins registered for this e-mail address, and in the list you can see your own login added in #2.
8. Now you can choose ANY login and change its password.
For now the only way to defend your account from hijacking is to register a new e-mail address that has never been disclosed to anyone and change the main e-mail address of the Skype account on the Skype web site.
Attention! You cannot change the main e-mail address in the Skype client, only on the Skype web site.
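To show the two design errors the steps above rely on, here is an added example (not Skype's code, a hypothetical model written for this post): registration accepts an e-mail address that is already claimed, so the reset flow must treat an address as belonging to an account only once that account has verified it, must deliver the reset token only to that mailbox, and must bind each token to a single (login, e-mail) pair so it cannot reset "ANY login".

```python
# Hypothetical identity store illustrating the hardened password-reset rules
# (constructed for this post; not Skype's actual implementation).
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    login: str
    emails: dict = field(default_factory=dict)  # e-mail -> verified (bool)


class IdentityStore:
    def __init__(self):
        self.accounts = {}      # login -> Account
        self.reset_tokens = {}  # token -> (login, e-mail) the token was issued for

    def register(self, login, email):
        # Like the flow in the post, a duplicate e-mail is accepted here,
        # but it starts UNVERIFIED, so it grants nothing until the mailbox
        # owner clicks the confirmation link.
        self.accounts[login] = Account(login, {email: False})

    def add_email(self, login, email):
        # An additional address is also unverified until confirmed.
        self.accounts[login].emails[email] = False

    def confirm_email(self, login, email):
        # Only reachable through the confirmation link mailed to `email`.
        self.accounts[login].emails[email] = True

    def request_reset(self, email):
        # Rule 1: consider only accounts that have VERIFIED this address.
        # Rule 2: deliver the token to that mailbox, never to a logged-in client.
        # Rule 3: one token per (login, e-mail) pair; it lists no other logins.
        deliveries = []
        for acct in self.accounts.values():
            if acct.emails.get(email) is True:
                token = secrets.token_urlsafe(32)
                self.reset_tokens[token] = (acct.login, email)
                deliveries.append(("mailbox", email, token))
        return deliveries

    def reset_password(self, token, login):
        # The token can reset only the login it was issued for; it is
        # consumed on success so it cannot be replayed.
        bound = self.reset_tokens.get(token)
        if bound is None or bound[0] != login:
            return False
        del self.reset_tokens[token]
        return True
```

In this model the second account registered against the victim's address never appears in the reset listing and cannot use the victim's token, which is exactly what steps 7 and 8 above depend on.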
Discussion in Russian (http://habrahabr.ru/post/158545/)
Source in Russian (http://forum.xeksec.com/skype.html#post98725)
Eventually Gizmodo published the news.
Skype officially stated: “We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologise for the inconvenience but user experience and safety is our first priority”.
It is funny, since the person who found this hole contacted Skype support 2 months ago and nothing was done.